MAPE-K/MAPE-SAC: An interaction framework for adaptive systems with security assurance cases

摘要

Security certification establishes that a given system satisfies properties and constraints as specified in the system security profile. Mechanisms and techniques have been developed to assess if and how well the system complies with the properties, thereby providing a degree of confidence in the security certification. Generally, certification of security controls defined by NIST SP800-53 is performed at design time to provide confidence in a system's trustworthiness to achieve the organization's mission and business requirements. Assuring confidence in a self-adaptive system's security profile is challenging when both functional and security conditions may change at run time. Static security solutions are insufficient, given that dynamic application of defense mechanisms often needs to dynamically adapt security functionality at run time as part of self-protection. This security adaptation may hinder maintaining functional constraints or vice versa. In addition, adaptation capabilities may give rise to the need for dynamic certification, which can be a difficult procedure given the complexity of the security dependencies. Confidence in an information system's compliance with security constraints can be expressed using security assurance cases (SACs). NIST security controls are defined with a hierarchical structure that makes them amenable to being specified in terms of SACs. A collection of SACs for related security controls form a network that can be used to measure the confidence of security compliance through certification-based evidence. Once the system is deployed, environmental and functional uncertainties may require the coordination of functional and security adaptations. This paper introduces the MAPE-SAC, a security-focused feedback control loop, and its interaction with a MAPE-K, function and performance-focused control loop, to dynamically manage run-time adaptations in response to changes in functional and security conditions. We illustrate the use of both control loops and their interaction with an example of two independent systems that need to cooperate to facilitate autonomous search and rescue in the aftermath of a natural disaster.